From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Sesterhenn
Subject: Re: Filesystem fuzzing
Date: Wed, 21 May 2008 10:26:37 +0200
Message-ID: <20080521082636.GA4311@alice>
References: <20080519100737.GA7764@alice> <1211298026.6389.5.camel@norville.austin.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Cc: linux-fsdevel@vger.kernel.org, jfs-discussion@lists.sourceforge.net
To: Dave Kleikamp
Return-path:
Received: from mail.gmx.net ([213.165.64.20]:37548 "HELO mail.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1752904AbYEUI0o (ORCPT ); Wed, 21 May 2008 04:26:44 -0400
Content-Disposition: inline
In-Reply-To: <1211298026.6389.5.camel@norville.austin.ibm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

* Dave Kleikamp (shaggy@linux.vnet.ibm.com) wrote:
> On Mon, 2008-05-19 at 12:07 +0200, Eric Sesterhenn wrote:
> > Hi,
> >
> > I do some regular filesystem fuzzing, based on a modified version
> > of lmhs fsfuzzer. I try to test current -git at least once a week.
> > Most modifications are adding new filesystems or mounting
> > them with different options, but I also added
> > some new tests like invoking iozone, fsx or fsstress if available.
> >
> > I currently test vfat, udf, msdos, swap, iso9660, ext2,
> > ext3, ext4, hfs, hfsplus, gfs2, ntfs, minix, qnx4, affs and bfs.
>
> You didn't mention jfs. If you want to test that, you can report any
> bugs to me or to jfs-discussion@lists.sourceforge.net.
Ah, I removed jfs at some point because mkfs.jfs doesn't work if the file is smaller than 16MB. I re-added it and got a first oops for you:

[52500.590030] ERROR: (device loop1): diRead: i_ino != di_number
[52500.590308] BUG: unable to handle kernel NULL pointer dereference at 00000237
[52500.590518] IP: [] iput+0xa/0x50
[52500.590642] *pde = 00000000
[52500.590749] Oops: 0000 [#2] PREEMPT DEBUG_PAGEALLOC
[52500.590958] Modules linked in: nfsd exportfs
[52500.591155]
[52500.591220] Pid: 6938, comm: mount Tainted: G D (2.6.26-rc3 #26)
[52500.591304] EIP: 0060:[] EFLAGS: 00010282 CPU: 0
[52500.591356] EIP is at iput+0xa/0x50
[52500.591356] EAX: fffffffb EBX: fffffffb ECX: 00000001 EDX: 00000000
[52500.591356] ESI: c9811920 EDI: cbd5f780 EBP: cbc67e34 ESP: cbc67e30
[52500.591356] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[52500.591356] Process mount (pid: 6938, ti=cbc67000 task=cbeb3f00 task.ti=cbc67000)
[52500.591356] Stack: fffffffb cbc67e5c c0316078 cbc67e4c fffffffb 00000000 00000000 00000002
[52500.591356]        00000000 c9811920 00000000 cbc67ea0 c01827ff cf415d40 c07b93c0 cf415d40
[52500.591356]        c9811920 706f6f6c 00000031 c01971ed c07e4ddc c01971ed 000000d0 cf32e6c0
[52500.591356] Call Trace:
[52500.591356]  [] ? jfs_fill_super+0x268/0x2a0
[52500.591356]  [] ? get_sb_bdev+0xef/0x120
[52500.591356]  [] ? alloc_vfsmnt+0xdd/0x120
[52500.591356]  [] ? alloc_vfsmnt+0xdd/0x120
[52500.591356]  [] ? jfs_get_sb+0x22/0x30
[52500.591356]  [] ? jfs_fill_super+0x0/0x2a0
[52500.591356]  [] ? vfs_kern_mount+0x3a/0x90
[52500.591356]  [] ? do_kern_mount+0x39/0xd0
[52500.591356]  [] ? do_new_mount+0x65/0x90
[52500.591356]  [] ? do_mount+0x15a/0x1b0
[52500.591356]  [] ? __get_free_pages+0x1b/0x30
[52500.591356]  [] ? copy_mount_options+0x38/0x140
[52500.591356]  [] ? getname+0xa7/0xc0
[52500.591356]  [] ? sys_mount+0x6f/0xb0
[52500.591356]  [] ? sysenter_past_esp+0x6a/0xb1
[52500.591356]  =======================
[52500.591356] Code: 4f fa ff 5d c3 8d b6 00 00 00 00 8d bf 00 00 00 00 55 89 e5 e8 d8 88 46 00 31 c0 5d c3 8d 74 26 00 55 85 c0 89 e5 53 89 c3 74 3d <83> b8 3c 02 00 00 40 74 37 8d 40 24 ba e0 ce 7a c0 e8 90 3c 1d
[52500.591356] EIP: [] iput+0xa/0x50 SS:ESP 0068:cbc67e30
[52500.599040] ---[ end trace 299f5ea1b691e69f ]---

kerneloops.org also caught it, but the code is not disassembled yet:
http://kerneloops.org/raw.php?rawid=13020&msgid=

This is with linux-next from yesterday.

A copy of the image file is available here:
http://www.cccmz.de/~snakebyte/jfs.7.img.bz2

Greetings,
Eric
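A minimal version of the mutate-and-mount loop the thread describes, as an added example that is neither lmhs fsfuzzer nor code from the mail. It assumes Linux with mkfs.jfs (jfsutils) on PATH, optionally fsstress, and root for the mount and umount steps; the 32MB default image size works around the 16MB minimum mentioned above. The function names, the FSFUZZ_* environment variables and the crash-image naming are this example's own choices.

```bash
#!/bin/bash
# Added example: a minimal mutate-and-mount fuzz loop in the spirit of the
# fsfuzzer runs discussed above. Not fsfuzzer itself. Assumes Linux,
# mkfs.jfs (jfsutils), optionally fsstress, and root for mount/umount.
set -u

IMG_SIZE_MB=${IMG_SIZE_MB:-32}          # mkfs.jfs refuses images smaller than 16MB
FLIPS_PER_ROUND=${FLIPS_PER_ROUND:-64}  # random bytes overwritten per image

# mutate_image IMG N: overwrite N random byte offsets of IMG with random
# bytes. Pure file I/O, no root needed, so it can be exercised on its own.
mutate_image() {
    img=$1; n=$2
    size=$(stat -c %s "$img")
    i=0
    while [ "$i" -lt "$n" ]; do
        off=$(( $(od -An -N4 -tu4 /dev/urandom) % size ))
        dd if=/dev/urandom of="$img" bs=1 seek="$off" count=1 conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# count_diffs A B: number of byte positions at which files A and B differ.
count_diffs() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# kernel_complained: true if the tail of the kernel log shows a BUG, Oops or
# WARNING. Approximate; a hard oops in mount usually wedges the box, in
# which case the image written last ($img.last) is the one to keep anyway.
kernel_complained() {
    dmesg 2>/dev/null | tail -n 40 | grep -qE 'BUG:|Oops:|WARNING:'
}

# fuzz_round IMG MNT ROUND: fresh jfs image, random corruption, loop mount,
# optional I/O stress, unmount. Keeps a copy of the image if the kernel complained.
fuzz_round() {
    img=$1; mnt=$2; round=$3
    dd if=/dev/zero of="$img" bs=1M count="$IMG_SIZE_MB" 2>/dev/null
    mkfs.jfs -q "$img" >/dev/null 2>&1 || { echo "mkfs.jfs failed"; return 1; }
    mutate_image "$img" "$FLIPS_PER_ROUND"
    cp "$img" "$img.last"    # survives a panic: the image that was mounted last
    if mount -t jfs -o loop "$img" "$mnt" 2>/dev/null; then
        ls -lR "$mnt" >/dev/null 2>&1          # walk the tree even without fsstress
        if command -v fsstress >/dev/null 2>&1; then
            fsstress -d "$mnt" -n 200 -p 2 >/dev/null 2>&1
        fi
        umount "$mnt" 2>/dev/null || umount -l "$mnt" 2>/dev/null
    fi
    if kernel_complained; then
        cp "$img" "crash-jfs-$round.img"
        echo "round $round: kernel complained, saved crash-jfs-$round.img"
    fi
    return 0
}

# fuzz_loop ROUNDS: run ROUNDS rounds against a scratch image and mount point.
fuzz_loop() {
    rounds=$1
    mnt=$(mktemp -d)
    img=$(mktemp)
    r=0
    while [ "$r" -lt "$rounds" ]; do
        fuzz_round "$img" "$mnt" "$r" || break
        r=$((r + 1))
    done
    rmdir "$mnt"
}

# The privileged loop only runs when explicitly requested, e.g.
#   FSFUZZ_RUN=1 FSFUZZ_ROUNDS=50 sudo -E ./fsfuzz-jfs.sh
if [ "${FSFUZZ_RUN:-0}" = 1 ]; then
    fuzz_loop "${FSFUZZ_ROUNDS:-20}"
fi
```

Run it on a scratch machine or VM with a serial console or netconsole attached: an oops like the one above takes the mount process down with a tainted kernel, and the interesting artifact is the image that was mounted last, which is why the script copies it aside before mount rather than after.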